
billowy-night-21439

05/10/2023, 3:38 PM
Howdy, I'm hitting issues with the AWS Python provider. I have my ~/.aws folder set up with a config and credentials file, with multiple profiles in the config file. I've tried to set the profile to use as an env var, and in the Pulumi config, both according to the docs, and I keep getting the below error. N.B. The error is not true: I can use that profile with the AWS CLI, and have been for years, without issue. Any pointers would be greatly appreciated.
AWS Error: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: XXXXXXX, api error AccessDenied: User: arn:aws:iam::XXXXXXXXX is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXXXXXX

millions-furniture-75402

05/10/2023, 4:22 PM
Does the following work with your profile?
aws --profile my-profile sts get-caller-identity

billowy-night-21439

05/11/2023, 8:07 AM
$ aws --profile my-profile sts get-caller-identity
{
    "UserId": "XXXXXXXXXXXXXXXX:botocore-session-1234567890",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/my-profile-role/botocore-session-1234567890"
}
Yeah, returns what you'd expect, yet pulumi preview/up throws the 403 error.
# Assume the role directly with the CLI and export the temporary credentials
# (access key, secret key, session token) as env vars before running pulumi
export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \
  $(aws sts assume-role \
    --role-arn arn:aws:iam::123456789012:role/my-profile-role \
    --role-session-name MySessionName \
    --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
    --output text))
Running this before the pulumi cmd does work.

millions-furniture-75402

05/11/2023, 12:05 PM
How are you managing your Pulumi state? self-hosted or the Pulumi service?

billowy-night-21439

05/11/2023, 12:06 PM
In a cloud storage bucket (using Pulumi for GCP for over a year and now venturing into AWS).

millions-furniture-75402

05/11/2023, 12:06 PM
Sorry, your state backend for this AWS deployment is managed in GCP or is it in AWS as well?

billowy-night-21439

05/11/2023, 12:07 PM
S3 for AWS 🙂
pulumi login s3://my-pulumi-bucket?profile=my-profile
This is the login cmd and it works fine.

millions-furniture-75402

05/11/2023, 12:08 PM
Okay, that's the question I was leading towards, whether your Pulumi bucket was declared in the backend of your Pulumi.yaml.
Try adding this to it, replacing your region:
?region=us-east-1&awssdk=v2
You can also validate that you're successfully communicating with the state bucket with:
pulumi whoami

billowy-night-21439

05/11/2023, 12:09 PM
There's no issue with the login cmd, can do stack select etc. after it. It's purely with up/preview/destroy not assuming the role.

millions-furniture-75402

05/11/2023, 12:10 PM
Alright.
What fields do you use in your AWS profile? Are they all supported by the provider? e.g. mfa_serial is not.

billowy-night-21439

05/11/2023, 12:13 PM
No MFA on this, all profiles are like so:
[profile my-profile]
source_profile = default
role_arn = arn:aws:iam::123456789012:role/my-profile-role
output = json
region = ap-northeast-1

millions-furniture-75402

05/11/2023, 12:15 PM
That looks okay. You could try specifying an explicit provider if you aren't already, and passing that in the opts of your resource declarations.
Or try explicitly adding an sts_region to your profile.

billowy-night-21439

05/11/2023, 12:18 PM
I've set AWS_REGION in the env as STS complained without it. Just find it odd that with boto/the AWS CLI the way my config/credentials are set up works without issue, and for Pulumi to use them I have to run the assume-role/export cmd above (so it's not really using them, I'm forcing it around them).

millions-furniture-75402

05/11/2023, 12:19 PM
If you're using the latest MAJOR AWS provider, you should be aware that there was a breaking change in the underlying terraform provider. You cannot expect environment variables to override profile values like you could in the previous version.

billowy-night-21439

05/11/2023, 12:40 PM
Thanks for the info. Ideally I'd like to not have to set env vars, but when I add these values to the Pulumi config YAML I get the same false error. The only way I've gotten Pulumi to work is by exporting the results from the sts cmd as env vars.